PNG  IHDRxsBIT|d pHYs+tEXtSoftwarewww.inkscape.org<,tEXtComment File Manager

File Manager

Path: /opt/alt/python311/lib/python3.11/site-packages/pyroute2/decoder/

Viewing File: main.py

'''
This tool is intended to decode existing data dumps produced with
other tools like tcpdump or strace, and print the data out in
JSON format.

The strace tool is not as convenient since version 4.13, as it
started to parse some of netlink messages at least partly,
rendering them useless for third party decoders. So if you plan
to use strace to obtain messages, be sure it is older than 4.13.
The strace related manual can be found in archive documentation
for older pyroute2 versions.

This manual is focused on pcap dumps.

An example session:

.. code-block:: console

    # set up netlink monitoring interface
    sudo ip link add dev nlmon0 type nlmon
    sudo ip link set dev nlmon0 up

    # dump the traffic into a pcap file
    # run netlink communication to be captured at the same time
    sudo tcpdump -i nlmon0 -w nl.pcap
    ^C

    # decode RTNL messages from the dump
    pyroute2-decoder \\
            -c pyroute2.netlink.rtnl.marshal.MarshalRtnl \\
            -d nl.pcap \\
            -m "ll_header{family=0}"

The result will be printed out in JSON format, so you can load
it directly from stdout, or use jq tool to navigate:

.. code-block:: console

    # print only pcap headers information
    pyroute2-decoder ... | jq '.[]."pcap header"'

pcap data dumps
~~~~~~~~~~~~~~~

This format is the default for `pyroute2-decoder`. To explicitly instruct
the decoder to use the pcap format, use `-f pcap` or `--format pcap`.

An ordinary everyday normal pcap dumps produced by tcpdump. The format
is described here shortly and only to the extent that is important for
the decoder. Please see other resources for detailed pcap format
descriptions. Pyroute2 decoder expect these headers in the pcap dump:

* Pcap file header. This header is being decoded, but not used by the
  tools as for now.
* Packet header. From this header the decoder uses only `incl_len` to
  properly read the stored data.
* Link layer header. From this header only the family field is used as
  for now, it can be matched with `ll_header{family=...}` expression.

hex data dumps
~~~~~~~~~~~~~~

Use `-f hex` or `--format hex`.

Just a raw data flow with no service headers added. The decoder uses
message headers to calculate the buffer lengths to read. This dump
can be obtained using strace or the IPBatch compiler.

Data should use hex bytes representation either in escaped or in
colon separated format. Equivalent variants:

* `\\\\x49\\\\x61\\\\x03\\\\x55`
* `49:61:03:55`

Comment strings start with `#`, comments and whitespaces are ignored.
A message example:

.. code-block::

    # ifinfmsg headers
    #
    # nlmsg header
    \\x84\\x00\\x00\\x00  # length
    \\x10\\x00          # type
    \\x05\\x06          # flags
    \\x49\\x61\\x03\\x55  # sequence number
    \\x00\\x00\\x00\\x00  # pid
    # RTNL header
    \\x00\\x00          # ifi_family
    \\x00\\x00          # ifi_type
    \\x00\\x00\\x00\\x00  # ifi_index
    \\x00\\x00\\x00\\x00  # ifi_flags
    \\x00\\x00\\x00\\x00  # ifi_change
    # ...


message classes
~~~~~~~~~~~~~~~

In order to properly debug the stream, one should specify either
a message class, or a marshal class:

.. code-block:: console

    # use a message class
    pyroute2-decoder \\
            -c pyroute2.netlink.generic.ipvs.ipvsmsg \\
            ...

    # use a marshal class
    pyroute2-decoder \\
            -c pyroute2.netlink.rtnl.marshal.MarshalRtnl \\
            ...

The decoder will try to use the specified class to decode every
matching message. That work well for generic protocols, but for other
protocols like RTNL it's more convenient to use marshal classes
that return corresponding message classes for different message
types.

generic protocols ids
~~~~~~~~~~~~~~~~~~~~~

Generic netlink protocols have dynamic IDs, so the first operation is to
get the ID. The message class used for that is `pyroute2.netlink.ctrlmsg`,
the request is `CTRL_CMD_GETFAMILY == 3`, and the response is
`CTRL_CMD_NEWFAMILY == 1`. The command is one byte right after the netlink
header, so the filters are:

* `ll_header{family=16}` match family 16, NETLINK_GENERIC
* `data{fmt='B', offset=16, value=1}` match one byte with
  value 1 by offset 16

Here is the code to get the family ID:

.. code-block:: console

    pyroute2-decoder \\
        -c pyroute2.netlink.ctrlmsg \\
        -d nl.pcap \\
        -m "ll_header{family=16} AND data{fmt='B', offset=16, value=1}" | \\
    jq \\
        '.[0].data.attrs[] | select(.[0] | contains("FAMILY"))'

    [
          "CTRL_ATTR_FAMILY_NAME",
          "IPVS"
    ]
    [
          "CTRL_ATTR_FAMILY_ID",
          37
    ]

Having the family ID you can filter out relevant messages. The filters:

* `ll_header{family=16}` match family 16, NETLINK_GENERIC
* `data{fmt='H', offset=4, value=37}` match IPVS family ID in
  the message header
* `data{fmt='B', offset=16, value=1}` match IPVS_CMD_NEW_SERVICE

.. code-block:: console

    pyroute2-decoder \\
        -c pyroute2.netlink.generic.ipvs.ipvsmsg \\
        -d nl0.pcap \\
        -m "ll_header{family=16} \\
            AND data{fmt='H', offset=4, value=37} \\
            AND data{fmt='B', offset=16, value=1}"


'''

import json

from pyroute2.common import hexdump
from pyroute2.decoder.args import parse_args
from pyroute2.decoder.loader import get_loader


def run():
    loader = get_loader(parse_args())
    ret = []
    for message in loader.data:
        ret.append(message.dump())
    print(json.dumps(ret, indent=4, default=lambda x: hexdump(x)))


if __name__ == "__main__":
    run()
b IDATxytVսϓ22 A@IR :hCiZ[v*E:WũZA ^dQeQ @ !jZ'>gsV仿$|?g)&x-EIENT ;@xT.i%-X}SvS5.r/UHz^_$-W"w)Ɗ/@Z &IoX P$K}JzX:;` &, ŋui,e6mX ԵrKb1ԗ)DADADADADADADADADADADADADADADADADADADADADADADADADADADADADADADADADADADADADADADADADADA݀!I*]R;I2$eZ#ORZSrr6mteffu*((Pu'v{DIߔ4^pIm'77WEEE;vƎ4-$]'RI{\I&G :IHJ DWBB=\WR޽m o$K(V9ABB.}jѢv`^?IOȅ} ڶmG}T#FJ`56$-ھ}FI&v;0(h;Б38CӧOWf!;A i:F_m9s&|q%=#wZprrrla A &P\\СC[A#! {olF} `E2}MK/vV)i{4BffV\|ۭX`b@kɶ@%i$K z5zhmX[IXZ` 'b%$r5M4º/l ԃߖxhʔ)[@=} K6IM}^5k㏷݆z ΗÿO:gdGBmyT/@+Vɶ纽z񕏵l.y޴it뭷zV0[Y^>Wsqs}\/@$(T7f.InݺiR$푔n.~?H))\ZRW'Mo~v Ov6oԃxz! S,&xm/yɞԟ?'uaSѽb,8GלKboi&3t7Y,)JJ c[nzӳdE&KsZLӄ I?@&%ӟ۶mSMMњ0iؐSZ,|J+N ~,0A0!5%Q-YQQa3}$_vVrf9f?S8`zDADADADADADADADADAdqP,تmMmg1V?rSI꒟]u|l RCyEf٢9 jURbztѰ!m5~tGj2DhG*{H9)꒟ר3:(+3\?/;TUݭʴ~S6lڧUJ*i$d(#=Yݺd{,p|3B))q:vN0Y.jkק6;SɶVzHJJЀ-utѹսk>QUU\޲~]fFnK?&ߡ5b=z9)^|u_k-[y%ZNU6 7Mi:]ۦtk[n X(e6Bb."8cۭ|~teuuw|ήI-5"~Uk;ZicEmN/:]M> cQ^uiƞ??Ңpc#TUU3UakNwA`:Y_V-8.KKfRitv޲* 9S6ֿj,ՃNOMߤ]z^fOh|<>@Å5 _/Iu?{SY4hK/2]4%it5q]GGe2%iR| W&f*^]??vq[LgE_3f}Fxu~}qd-ږFxu~I N>\;͗O֊:̗WJ@BhW=y|GgwܷH_NY?)Tdi'?խwhlmQi !SUUsw4kӺe4rfxu-[nHtMFj}H_u~w>)oV}(T'ebʒv3_[+vn@Ȭ\S}ot}w=kHFnxg S 0eޢm~l}uqZfFoZuuEg `zt~? b;t%>WTkķh[2eG8LIWx,^\thrl^Ϊ{=dž<}qV@ ⠨Wy^LF_>0UkDuʫuCs$)Iv:IK;6ֲ4{^6եm+l3>݆uM 9u?>Zc }g~qhKwڭeFMM~pМuqǿz6Tb@8@Y|jx](^]gf}M"tG -w.@vOqh~/HII`S[l.6nØXL9vUcOoB\xoǤ'T&IǍQw_wpv[kmO{w~>#=P1Pɞa-we:iǏlHo׈꒟f9SzH?+shk%Fs:qVhqY`jvO'ρ?PyX3lх]˾uV{ݞ]1,MzYNW~̈́ joYn}ȚF߾׮mS]F z+EDxm/d{F{-W-4wY듏:??_gPf ^3ecg ҵs8R2מz@TANGj)}CNi/R~}c:5{!ZHӋӾ6}T]G]7W6^n 9*,YqOZj:P?Q DFL|?-^.Ɵ7}fFh׶xe2Pscz1&5\cn[=Vn[ĶE鎀uˌd3GII k;lNmشOuuRVfBE]ۣeӶu :X-[(er4~LHi6:Ѻ@ԅrST0trk%$Č0ez" *z"T/X9|8.C5Feg}CQ%͞ˣJvL/?j^h&9xF`њZ(&yF&Iݻfg#W;3^{Wo^4'vV[[K';+mӍִ]AC@W?1^{එyh +^]fm~iԵ]AB@WTk̏t uR?l.OIHiYyԶ]Aˀ7c:q}ힽaf6Z~қm(+sK4{^6}T*UUu]n.:kx{:2 _m=sAߤU@?Z-Vކеz왍Nэ{|5 pڶn b p-@sPg]0G7fy-M{GCF'%{4`=$-Ge\ eU:m+Zt'WjO!OAF@ik&t݆ϥ_ e}=]"Wz_.͜E3leWFih|t-wZۍ-uw=6YN{6|} |*={Ѽn.S.z1zjۻTH]흾 DuDvmvK.`V]yY~sI@t?/ϓ. m&["+P?MzovVЫG3-GRR[(!!\_,^%?v@ҵő m`Y)tem8GMx.))A]Y i`ViW`?^~!S#^+ѽGZj?Vģ0.))A꨷lzL*]OXrY`DBBLOj{-MH'ii-ϰ ok7^ )쭡b]UXSְmռY|5*cֽk0B7镹%ڽP#8nȎq}mJr23_>lE5$iwui+ H~F`IjƵ@q \ @#qG0".0" l`„.0! ,AQHN6qzkKJ#o;`Xv2>,tێJJ7Z/*A .@fفjMzkg @TvZH3Zxu6Ra'%O?/dQ5xYkU]Rֽkق@DaS^RSּ5|BeHNN͘p HvcYcC5:y #`οb;z2.!kr}gUWkyZn=f Pvsn3p~;4p˚=ē~NmI] ¾ 0lH[_L hsh_ғߤc_њec)g7VIZ5yrgk̞W#IjӪv>՞y睝M8[|]\շ8M6%|@PZڨI-m>=k='aiRo-x?>Q.}`Ȏ:Wsmu u > .@,&;+!!˱tﭧDQwRW\vF\~Q7>spYw$%A~;~}6¾ g&if_=j,v+UL1(tWake:@Ș>j$Gq2t7S?vL|]u/ .(0E6Mk6hiۺzښOrifޱxm/Gx> Lal%%~{lBsR4*}{0Z/tNIɚpV^#Lf:u@k#RSu =S^ZyuR/.@n&΃z~B=0eg뺆#,Þ[B/?H uUf7y Wy}Bwegל`Wh(||`l`.;Ws?V@"c:iɍL֯PGv6zctM̠':wuW;d=;EveD}9J@B(0iհ bvP1{\P&G7D޴Iy_$-Qjm~Yrr&]CDv%bh|Yzni_ˆR;kg}nJOIIwyuL}{ЌNj}:+3Y?:WJ/N+Rzd=hb;dj͒suݔ@NKMԄ jqzC5@y°hL m;*5ezᕏ=ep XL n?מ:r`۵tŤZ|1v`V뽧_csج'ߤ%oTuumk%%%h)uy]Nk[n 'b2 l.=͜E%gf$[c;s:V-͞WߤWh-j7]4=F-X]>ZLSi[Y*We;Zan(ӇW|e(HNNP5[= r4tP &0<pc#`vTNV GFqvTi*Tyam$ߏWyE*VJKMTfFw>'$-ؽ.Ho.8c"@DADADADADADADADADA~j*֘,N;Pi3599h=goضLgiJ5փy~}&Zd9p֚ e:|hL``b/d9p? fgg+%%hMgXosج, ΩOl0Zh=xdjLmhݻoO[g_l,8a]٭+ӧ0$I]c]:粹:Teꢢ"5a^Kgh,&= =՟^߶“ߢE ܹS J}I%:8 IDAT~,9/ʃPW'Mo}zNƍ쨓zPbNZ~^z=4mswg;5 Y~SVMRXUյڱRf?s:w ;6H:ºi5-maM&O3;1IKeamZh͛7+##v+c ~u~ca]GnF'ټL~PPPbn voC4R,ӟgg %hq}@#M4IÇ Oy^xMZx ) yOw@HkN˖-Sǎmb]X@n+i͖!++K3gd\$mt$^YfJ\8PRF)77Wא!Cl$i:@@_oG I{$# 8磌ŋ91A (Im7֭>}ߴJq7ޗt^ -[ԩSj*}%]&' -ɓ'ꫯVzzvB#;a 7@GxI{j޼ƌ.LÇWBB7`O"I$/@R @eee@۷>}0,ɒ2$53Xs|cS~rpTYYY} kHc %&k.], @ADADADADADADADADA@lT<%''*Lo^={رc5h %$+CnܸQ3fҥK}vUVVs9G R,_{xˇ3o߾;TTTd}馛]uuuG~iԩ@4bnvmvfϞ /Peeeq}}za I~,誫{UWW뮻}_~YƍSMMMYχ֝waw\ďcxꩧtEƍկ_?۷5@u?1kNׯWzz/wy>}zj3 k(ٺuq_Zvf̘:~ ABQ&r|!%KҥKgԞ={<_X-z !CyFUUz~ ABQIIIjݺW$UXXDٳZ~ ABQƍecW$<(~<RSSvZujjjԧOZQu@4 8m&&&jԩg$ď1h ͟?_{768@g =@`)))5o6m3)ѣƌJ;wҿUTT /KZR{~a=@0o<*狔iFɶ[ˎ;T]]OX@?K.ۈxN pppppppppppppppppPfl߾] ,{ァk۶mڿo5BTӦMӴiӴ|r DB2e|An!Dy'tkΝ[A $***t5' "!駟oaDnΝ:t֭[gDШQ06qD;@ x M6v(PiizmZ4ew"@̴ixf [~-Fٱc&IZ2|n!?$@{[HTɏ#@hȎI# _m(F /6Z3z'\r,r!;w2Z3j=~GY7"I$iI.p_"?pN`y DD?: _  Gÿab7J !Bx@0 Bo cG@`1C[@0G @`0C_u V1 aCX>W ` | `!<S `"<. `#c`?cAC4 ?c p#~@0?:08&_MQ1J h#?/`7;I  q 7a wQ A 1 Hp !#<8/#@1Ul7=S=K.4Z?E_$i@!1!E4?`P_  @Bă10#: "aU,xbFY1 [n|n #'vEH:`xb #vD4Y hi.i&EΖv#O H4IŶ}:Ikh @tZRF#(tXҙzZ ?I3l7q@õ|ۍ1,GpuY Ꮿ@hJv#xxk$ v#9 5 }_$c S#=+"K{F*m7`#%H:NRSp6I?sIՖ{Ap$I$I:QRv2$Z @UJ*$]<FO4IENDB`